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(54) Title: METHOD AND DEVICE FOR CRYPTOGRAPHICALLY PROCESSING DATA 
(57) Abstract 

In the event of 
cryptographically processing 
data, said data (X) and a key 
(K) are fed to a cryptographic 
process (P), which may be a 
known . process. In order to 
veil the nature of the process 
(P), there are fed auxiliary 
values to the process, such 
as a supplementary key (K*), 
using which a supplementary 
process (P*) generates the key 
proper (K). Hie combination 
of the original process (P) and 
the supplementary process (P*) 
provides an unknown process, 
the relationship between the 
supplementary key (K*) and the 

processed data (Y) being unknown. As a result, there is obtained an improved cryptographic security. 
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Method and device for cryptographically processing data. 

BACKGROUND OF THE INVENTION 

The invention relates to a method for cryptographically 
5 processing data, comprising feeding, to a cryptographic process, 

values, namely, the data and a key, and carrying out the process 
in order to form cryptographically processed data. Such method 
is generally known - 

For cryptographically processing data, in practice there 

10 are often applied generally known processes. Examples of such 

cryptographic processes (algorithms) are DES and RSA [DBS = Data 
Encryption Standard and RSA = Rives t, Shamir & AdlemanJ , which 
are described, e.g., in the book * Applied Cryptography* by B. 
Schneier (2nd edition) , New York, 1996. 

15 Said processes are published since it was assumed that, in 

the event of sufficiently large key lengths, it would be 
impossible, on the basis of the processed data, to retrieve the 
original data and/or the key, even if the cryptographic process 
were known. 

20 -Recently, however, there were discovered attacks which are 

based on knowledge of the cryptographic process. In other words, 
since the behaviour of the process is known, in the event of 
certain attacks it becomes considerably more simple to derive the 
key used and/ or the original data. It will be understood that 

25 such is undesirable. 

SUMMARY OF THE INVENTION 

The object of the invention is to solve the above problem 
by indicating a method and circuit, for carrying out a 

30 cryptographic process, which render the derivation of the key in 

the event of application of a known (i.e., public) cryptographic 
process considerably more difficult or even impossible. For this 
purpose, a method of the type referred to in the preamble 
according to the invention is characterised by feeding, to the 

35 process, auxiliary values in order to mask the values used in the 

process . 

By masking the date and/or key(s) it becomes considerably 
more difficult to derive aald values on the basis of the 
behaviour of the process. The result of the process, i.e., the 
40 collection of processed data, in the event of a suitable choice 

of the auxiliary values may be unchanged, i.e., identical to the 
result of the process, if no auxiliary values have been fed to 
it. In this connection, an "auxiliary value" is understood to 
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mean a value (data or key) which is fed to the process as a 
supplement to the corresponding data and key. 
The invention is therefore based on the insight that the 
derivation of the values used in a cryptographic process is 
5 rendered considerably more difficult if said values are masked 

using auxiliary values. 

The invention is partly based on the further insight that 
the use of auxiliary values does not necessarily affect, the 
outcome of the process. 
10 in a first embodiment of the invention, an auxiliary value 

comprises a supplementary key which is fed to a supplementary 
process in order to form the key. 

By applying a combination of a known process and a 
supplementary process, there is formed a new cryptographic 
15 process, unknown per se, even if the supplementary process is 

also known per se. 

By deriving the key used for the known process (primary 
key) from a supplementary key (secondary key) using a 
supplementary process > there is achieved that not the (primary) 
20 key of the known process but the supplementary (secondary) key is 

offered to the combination of processes. In other words, 
externally the supplementary (secondary) key, and not the real 
(primary) key of the process proper, is used. Derivation of the 
key from the original data and the processed data has thereby 
25 become impossible. In addition, the derivation of the 

supplementary key has been rendered seriously more difficult, 
since the combination of the original process and the 
supplementary process is not known. 

Said embodiment of the invention is therefore based, inter 
30 alia, on the insight that the being known of a cryptographic 

process is undesirable, such contrary to what was so far assumed. 
Said embodiment is also based on the further insight that attacks 
which elaborate on knowledge of the process become considerably 
more difficult if the process is unknown- 
35 The supplementary process preferably comprises a 

cryptographic process. This renders the derivation of the 
supplementary key more difficult. Basically, however, a simple 
encoding may be applied, e.g., as a supplementary process. In 
the event of a cryptographic process, there is preferably applied 
40 an auxiliary key. 

The supplementary process advantageously is an invertible 
process. This enables the application of the method according to 
the invention in existing equipment with minimum modifications. 
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If, e.g., a first device gives off a. (supplementary) key which is 
applied in a second device according to the invention, then in 
the first device there may he used the inverse of the 
supplementary process to derive the supplementary key from the 
5 original key. In other words, although in hoth the first and the 

second device internally the original (primary) key is used, 
there is exchanged, between the devices, the supplementary 
(secondary) key. Intercepting the supplementary key, however, 
does not result in knowledge of the original key. 

10 It may be advantageous if carrying out the supplementary 

process takes place exclusively if the data has predetermined 
properties. In this manner, cryptographic processing may be 
carried out for specific, selected data only, while such is 
blocked for all other data. In this manner, there is achieved a 

15 supplementary protection. 

An optimum security is provided if the process and the 
supplementary process are each constructed of several steps and 
in which there are alternately carried out steps of the process 
and the supplementary process. As a result, the properties of 

20 the known process are further veiled, as a result of which the 

derivation of the keys is further complicated. 

In a second embodiment of the invention, the process 
comprises several steps, each of which has a cryptographic 
operation for processing right-hand data derived from the data 

25 and a combinatory operation for combining, with the left-hand 

data derived from the data, the processed right-hand data in 
order to form modified left-hand data, in which the right-hand 
data, prior to the first step, is combined with a primary 
auxiliary value and the left-hand data is combined with an 

30 additional auxiliary value. As a result, the data used in the 

steps and transferred between the steps is masked. 

In order to make it possible for the primary and additional 
auxiliary values do not make themselves felt in the end result of 
the process, the right-hand data is combined, preferably 

35 immediately after the last step, with a further primary auxiliary 

value, and the modified left-hand data is combined with a further 
additional auxiliary value. 

In order not to have the result of the operations affected 
by the primary auxiliary values, the method according to the 

40 invention is preferably carried out in such a manner that the 

right-hand data, in each step and prior to the operation, is 
combined with the primary auxiliary value of said step. 
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A further protection is achieved, if the processed right- 
hand data, following the processing/ is combined with a secondary 
auxiliary value of said step. 

5 The secondary auxiliary value of a step is advantageously 

formed from the combination of the primary auxiliary value of the 
preceding step and the primary auxiliary value of the. next step. 
As a result, it becomes possible to compensate the auxiliary 
value in the repeatedly next step, as a result of which said ^ 

10 auxiliary value will not make itself felt in the end result of 

the process. 

It is possible to carry out the method according to the 
invention in such a manner, that all primary auxiliary values are 
equal. As a result, a very simple practical realisation is 
15 possible. The use of several auxiliary values, which are 

preferably random numbers and are generated anew for each time 
the process is carried out, however, offers a greater 
cryptographic security. 

A further simplification of said embodiment may be obtained 
20 if the primary auxiliary values and/ or secondary auxiliary values 

repeatedly have been . combined in advance with the operation in 
question. This is to say, combining with auxiliary values is 
processed in the operation in question (e.g., a substitution), in 
such a manner that the result of the operation in question is 
25 equal to that of the original operation plus one or two 

combinatory operations with auxiliary values. By in advance 
including in the operation the combinatory operations, a more 
simple and faster practical realisation is possible. 

Said combinatory operations are preferably carried out 
30 using an XOR operation [XOR = exclusive OR] . Other combinatory 

operations, however, such as binary adding, are basically 
possible as well. 

The invention further provides a circuit for carrying out a 
method for cryptographically processing data. In addition, the 
35 invention supplies a payment card and a payment terminal provided 

with such circuit. 

Below, the invention will be further explained on the basis 
of the exemplary embodiments shown in the figures. 



40 



BRIEF DESCRIPTION OF THE DRAWINGS 

FIG. 1 schematically shows a cryptographic process 
according to the prior art. 
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FIG. 2 schematically shows a first cryptographic process 
according to a first embodiment of the invention. 

FIG- 3 schematically shows a second cryptographic process 
according to a first embodiment of the invention. 
5 FIG. 4 schematically shows a way in which the processes of 

figures FIG. 1 and 2 may be carried out. 

FIG . 5 schematically shows a cryptographic process having 
several steps according to the prior art. 

FIG. S schematically shows a first cryptographic process 
10 according to a second embodiment of the invention. 

FIG. 7 schematically shows a second cryptographic process 
according to a second embodiment of the invention. 

FIG. 8 schematically shows a third cryptographic process 
according to a second embodiment of the invention. 
15 FIG- 9 schematically shows a circuit in which the invention 

is applied. 

FIG. 10 schematically shows a payment system in which the 
invention is applied. 

20 PREFERRED EMBODIMENTS 

A (cryptographic) process P according to the prior art is 
schematically shown in FIG. 1. To the process P, there are fed 
input data X and a key K. On the basis of the key K, the process 
P converts the input data X into C crypt ©graphically) processed 

25 output data Y: Y = P K (X) . The process P may be a known 

cryptographic process, such as DBS (Data Encryption Standard), 
triple DES , or RSA (Rivest, Shamir & Adleman) . 

If the input data X and the output data Y are known, it is 
basically possihle to derive the key K used. In the event of a 

30 key of sufficient length (i.e., a sufficient number of bits), it 

was so fax deemed impossible to derive said key, even if the 
process P were known. Impossible in this case is to say that in 
theory it is admittedly possible, e.g., by trying out all 
possible keys, to retrieve the key used, but that such requires 

35 an impossibly long computational time. Such tt brute- force attack" 

is therefore hardly a threat to the cryptographic security. 

Attacks recently discovered, however, make use of knowledge 
of the process, as a result of which the number of possible keys 
may be reduced drastically. Deriving the key K used and/ or the 

40 input data X from the output data Y therefore becomes possible 

within acceptable computational times. 

The principle of the invention, whose object it is to 
render such attacks considerably more difficult and time- 
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consuming, is schematically shown in FIG, 2. Just as in FIG . 1, 
to a (known) process P there are fed input data X and a (secret) 
key K to generate output data Y. 

Contrary to the situation of FIG. 1, in the situation of 
5 FIG. 2 the key K is fed to the process P from a supplementary 

process P* . The supplementary process P* has a supplementary 
(secondary) key K* as input data to produce, under the influence 
of an auxiliary key K' , the (primary) key K as output data. The 
key K is therefore not fed, as is the case in the situation of 
10 FIG. 1, from an external source (e.g., a memory) to the process 

P, but is produced by the process P* from the supplementary 
( secondary) key K* : 



15 



P* K < (K) 



It is therefore the secondary key K* , instead of the 
primary key K, which is predetermined and stored, e.g. , in a key 
memory (not shown) , According to the invention, the primary key 
K, which is fed to the process P, is not predetermined. 
20 The auxiliary key K' may be a permanently stored, 

predetermined key. It is also possible to apply a supplementary 
process P* in which no auxiliary key K' is used. 

The combination of the processes P and P* forms a new 
process which is schematically designated by Q. To the process Q 
25 which, on account of the supplementary process P* , is unknown per 

se, the input data X and the (secondary) key K* are fed to 
produce the output data Y. The relationship between the 
secondary key K* and the primary key K is veiled by the 
supplementary process P* . 
30 The supplementary process P* preferably is the inverse of 

another, invertible process R. This is to say: 

P* = R" 1 . 

35 This enables producing the secondary key K* from the 

primary key K using R and the auxiliary key K' : 

K* = R K . (K) , 

40 as will be further explained later by reference to FIG. 5. The 

new process Q may possibly be extended by the process R, in such 
a manner that the primary key K, instead of the s condary key K*, 



WO 00/41356 PCT/EP99/10208 

7 

is fed to the process Q. The primary - key K in this case in the 
process Q is derived from: 

K a P* K » (K* ) = P* K - <R K < <K) ) - 

This enables using the same (primary) key as in the prior 

art. 

The cryptographic process Q according to the invention, 
schematically shown in FIG. 3, also comprises a process P having 
a primary key K and a supplementary process P* having an 
auxiliary key K' ,- the primary key K being derived from the 
supplementary key K* by the supplementary process P* . 
Supplementing the process of FIG. 1, in this case the input data 
X is also fed to the supplementary process P*, in such a manner 
that the primary key K is determined partly as a function of the 
input data X: 

K = P* K , (K*,X) . 

As a result, there is obtained a supplementary 
cryptographic protection. In addition, as a result the 
possibility is offered to carry out the supplementary process P* 
exclusively if certain input data is offered. This is to say 
that the supplementary process P* may comprise a test of the 
input data X, and carrying out the supplementary process P* may 
depend on the result of said test. Thus, the supplementary 
process P*, e.g., may be carried out only if the last two bits of 
the input data X equal zero. The effect of such an input data- 
dependent operation is that only for certain input data X the 
correct primary key K will be produced in such a manner that only 
said input data will deliver the desired output data Y. It will 
be understood that as a result the cryptographic security is 
further enhanced. 

FIG. 4 schematically shows the way in which substeps of the 
processes P and P* may be carried out alternatingly 
( n inter leaving*) in order to further enhance the protection 
against attacks . The substeps may include so-called ^rounds" , 
such as,, e.g., in the case of DES . The substeps, however, 
preferably comprise only one or a few instructions of a program, 
with which the processes are being carried out. 

In a first step 101, there is carried out a first substep P x 
of the process P. Subsequently, in a second step 102, the first 
substep Pi* of the supplementary process P* is carried out. 
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Likewise, in a third step 103 , the second substep P 2 of the 
process F is carried out etc. This continues until, in step 110, 
the last substep P n * of the supplementary process P* has been 
carried out, it being assumed, for the sake of the example, that 

5 the processes P and P* comprise an equal number of substeps. If 

such is not the case, in step 110 there is carried out the last 
corresponding substep, and in further steps the remaining 
substeps are carried out. 

By alternating the substeps of the process P, which is 

10 known per se, and the process P* (possibly known per se as well) , 

there may be obtained a series of substeps which does riot 
correspond to that of a known process. As a result, the nature 
of the process is more difficult to recognise. 

The cryptographic process P schematically shown, only by 

15 way of example, in FIG. 5, according to the prior art comprises 

several steps B ± (i.e., S lf S 2 , , S a ) . In each step S ± , (right- 
hand) data KD± is fed to a cryptographic operation Fi. Said 
cryptographic operation may itself comprise a number of substeps, 
such as an expansion, a combination with a key, a substitution 

20 and a permutation which, however, have not been designated 

separately for the sake of the simplicity of the drawing. The 
cryptographic operation Ft provides processed data FD^: 



25 



FDt « Fi(RDi) 



In a combinatory operation CC ± (CCx, CC 2 , the index i always 

indicating the step S in question) , the processed data FD A is 
combined with left-hand data LD t to form modified (left-hand) 
data SDi which, just as the original right-hand data RD, is 
30 passed on to the next step. The combinatory operations CCt 

preferably are XOR operations (symbol: ©) . 

As is shown in FIG. 5, at the end of each step Si the 
modified left-hand data SDi and the right-hand data RD L change 
positions in such a manner that they form the right-hand data 
35 RDi+i and the left-hand data of the next step S 1+1 . 

The left-hand data LDx and the right-hand data KD 1 of the 
first step Si were derived, in a preceding operation, from input 
data X and, in doing so, may undergo a preparatory processing, 
such as an input permutation. The output data SD n and RD n of the 
40 last step S n form the processed data Y of the proces P, possibly 

after it has undergone a final operation, such as an output 
permutation PP" 1 . 
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The cryptographic process of FIGi 6 largely corresponds to 
that of FIG. 5. In accordance with the invention, the data 
present in and between the steps is masked with auxiliary values. 
For this purpose, in this embodiment the first step S t is 
5 preceded by (preparatory) combinatory operations DC and EC, which 

are preferably XOR operations as well. They combine the left- 
hand data LDi and the right-hand data RD 2/ respectively, which 
originate from the preparatory operation (PP) , with a 2eroth 
auxiliary value A© and a first auxiliary value The results of 

10 the combinatory operations DC and EC are left-hand masked data 

LD 1 ! and right-hand masked data RD X 1 , respectively (in the 
continuation of this text, masked data will be designated by an 
apos trophy) . The maskings make themselves felt in the subsequent 
steps. Since the left-hand data of the second step S 2 is equal 

15 to the masked right-hand data of the first step S x , said left- 

hand data IiD 1 2 is masked as well. The right-hand data RD 2 » of the 
second step is masked since it is equal to the masked, modified 
data SDx' - 

Combining the data LDi and RD ± with the auxiliary values A t 
20 therefore results in the modified data LDi 1 and RDi 1 being masked, 

as a result of which it is considerably more difficult to derive 
the original data X or the key used from the masked data LDi 1 and 
RDi ' . 

In order to remove the auxiliary values A A prior to the 

25 final operation (PP" 1 ) , there are provided completing combinatory 

operations FC and GC, which combine the modified and masked left- 
hand data SD' n of the last step S n with an auxiliary value ^ and 
the masked right-hand data RD n 1 with an auxiliary value A„, 
respectively. On account of Ai 0 At being zero in this manner the 

30 maskings are removed by the auxiliary values A iB As a result, it 

is possible to carry out the method in such a manner that, 
notwithstanding the use of the auxiliary values Ai, the final 
data Y is equal to that which would have been obtained by the 
conventional method according to FIG. 5. 

35 In order to exclude the effect of the auxiliary values A± on 

the results FD A of the operations F ± , in each step Si there is 
preferably present a supplementary combinatory operation AC 4 
which combines the right-hand data, RDi with a (primary) auxiliary 
value Ai before this data is fed to the cryptographic operation 

40 F iB The result of each supplementary combinatory operation AC± is 

non-masked right-hand data RDi, so that the cryptographic 
operation F ± works on the same data as in the process of FIG. 5. 
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There may be advantageously inserted a further combinatory 
operation BCj. between the cryptographic operation F± and the 
combinatory operation CC L with the purpose of combining the 
processed (right-hand) data FDi with a further (secondary) 

5 auxiliary value B±. As a result, there may be achieved a masking 

of the processed data FDi and a further masking of the (modified) 
left- hand data SDi 1 . The combinatory operations AC A and BCi 
preferably are XOR operations as well. 

In accordance with a further aspect of the invention, the 

10 auxiliary values Ai and B ± are related. The secondary auxiliary 

values Bi are formed, preferably using an XOR operation, from the 
first auxiliary value Ai.! of the previous step and the auxiliary 
value A i+X of the next step: 

15 Bi = Ai.x 0 A ±+1 . 

This results in each primary auxiliary value A i+1 which, using a 
further supplementary combinatory operation BCi, is combined with 
the processed right-hand data FD ± as an ingredient of the 
20 secondary auxiliary value B i# repeatedly being compensated in the 

next step, i.e. r step S i+1 , by means of a combinatory operation AC A 
before the right-hand data RD 1+1 is subjected to the operation Pi. 
The (masked) right-hand data IUV in question, which forms the 
(masked) left-hand data LD^i 1 of the still next step S±+ 2 are 
25 combined there with the primary auxiliary value A 1+ i and is 

compensated in this manner. The auxiliary value A 1+ i makes itself 
felt in the modified data SDi 1 t in such a manner that this 
remains masked between two steps. 

The left-hand data LDi of the first step S x is masked with 
30 the additional or zeroth (primary) auxiliary value Aq. By 

combining, with the secondary auxiliary value B z » Ao © A 2 , the 
initial auxiliary value Aq is removed (on account of Aq © Aq being 
zero) , but the auxiliary value A 2 and the masking achieved 
therewith are maintained. The zeroth auxiliary value Aq in this 
35 embodiment is preferably chosen equal to the first auxiliary 

value Ai. 

Although all primary auxiliary values Ai are preferably 
chosen different, with the exception of A 0 = A a , it is possible to 
choose all primary auxiliary values Ai equal. In this case, all 
40 secon dar y auxiliary values Bi in the embodiment shown will be 

equal to zero, so that the further combinatory operations BCi n&Y 
be omitted. The invention further applies to processes P which 
contain only one step S, or have a deviating structure. 
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In the process of FIG. 7, which largely corresponds to that 
of FIG. €, the combinatory operations ACi and BQ and the 
cryptographic operation Fi in each step are integrated to form a 
combined operation Fi' . Integrating the combinatory operations 
5 in the operations Fx is possible by suitably adjusting, e.g., a 

substitution table of the operation Fi. As a result, the 
supplementary combinatory operations ACi and BC± may be omitted 
and the result of the adjusted operation Fi' is equal to the 
result of the total of the operation P t proper and the 
10 combinatory operations: 

FDi' « Fi' (WV) = Bi 6 Fi (At 0 RDi') . 
Basically, each step Si requires a different combinatory 
operation F± in which various auxiliary values A A are integrated 

15 (see FIG. 6) . Only if the auxiliary values Ai are chosen equal, 

i.e., A x -A 2 = ... = A n/ the combinatory operations Fi in this 
embodiment may be equal . 

Each time the process is carried out, the values A A are 
p re f era i>ly chosen anew. For the process of FIG. 7, this means 

20 that the combined operations Fi* are then determined anew. Since 

the operations Fi T in many implementations will comprise the use 
of several tables, such as substitution tables, said tables will 
be determined anew each time the process P is carried out. In 
order to offer a supplementary protection against attacks, 

25 according to a further aspect of the invention the tables will be 

determined in random order. If a combined operation F A * 
comprises, e.g., eight tables, said eight tables will be 
determined in another order each time said operation Fi' is 
carried out anew. Said order may be determined on the basis of 

30 the contents of an order register, which contents may each time 

be formed by a random number originating from a random-number 
generator- On the basis of the contents of the order register 
there may each time be composed a fresh lookup table. Using the 
lookup table, the tables may be written to a memory and later be 

35 read out. 

According to a further aspect of the invention, 
supplementing this or instead thereof, the elements of each table 
may be determined and/or stored in random order. With this 
measure it is achieved that the protection against attacks is 

40 also improved. In this case, too, there may be applied a lookup 

table on the basis of which the elements may later be retrieved. 

The measures referred to above may also be applied in 
another embodiment of the invention, such as the one of FIG. 8, 
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or in completely different other processes, whether cryptographic 
or not . 

The embodiment of FIG. 8 largely corresponds to that of 
FIG. 7. Supplementing FIG. 7, each step St, with the exception 
5 of the last step S n , includes a combinatory operation HC* which 

combines the right-hand data RD± with a tertiary auxiliary value 
Wi. The tertiary auxiliary value preferably equals the XOR 
combination of the auxiliary values Ao and A a : 

10 W = A 0 0 A 2 , 



where A© ^ A x « 

This results in the operation HCi always adding the zeroth 
auxiliary value Ao and compensating the first auxiliary value A*. 

.15 As a result, it is possible that all cryptographic operations F ± 

are essentially identical, which requires a much, smaller 
processing and/or storage capacity from a processor system with 
which the method is carried out. In the embodiment of FIG. 8, 
the operations Fi" are such adjustments of the original 

20 operations F i# that these are corrected for the auxiliary value A x 

and in addition combine the tertiary auxiliary value W = A<, © A x 
with their result. In other words, if RD ± ® A a is fed to F n , the 
result will be equal to 
FD i I =F 1 (RD 1 ) © W. 

25 It will be understood by those skilled in the art that the 

combinatory processes ACi, BCi and HCi may be carried out in 
different locations in the cryptographic process P to achieve a 
comparable or even identical effect. 

FIG. 9 schematically shows a circuit 10 for implementing 
30 the method according to the invention. The circuit 10 comprises 

a first memory 11, a second memory 12 and a processor 13, the 
memories 11 and 12 and the processor 13 being coupled using a 
data bus 14. By providing two memories, it is possible each time 
to carry out a substep of one of the processes P and P* (see FIG. 
35 4), to store the result of said substep in, e.g., the first 

memory 11, and from the second memory 12 to transfer a previous 
interim result from the other process to the processor 13 . In 
this manner, it is possible to efficiently carry out the 
alternating computation of substeps of two different processes. 
40 The payment system schematically shown in FIG. 10 comprises 

an electronic payment means 1 and a payment station 2 . The 
electronic payment means 1 is, e.g., a so-called smart card, 
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i.e., a card provided with an integrated circuit for storing and 
processing payment data. The payment station 2 comprises a card 
reader 21 and a processor circuit 22 . The processor circuit 22 
may correspond to the circuit 10 of FIG. 9. 

At the beginning of a transaction, the payment means 1 
transmits an identification (card identification) ID to the 
payment station 2. By reference to said identification, the 
payment station 2 determines a key which will be used for said 
transaction. Said identification ID may be fed as input data X 
{see the figures 1-3) to a cryptographic process which, on the 
basis of a master key MK, produces an identification-dependent 
transaction key K ID as output data Y. In accordance with the 
invention, for this purpose the process shown in the figures FIGi 
2 and 3 is used, the master key MK having been converted in 
advance, using a process R, into a supplementary master key MK* . 
Said supplementary master key MK* is now fed, preferably together 
with the identification ID, in accordance with FIG. 3, to the 
supplementary process P* in order to reproduce the original 
master key MK and to derive the transaction key Ku, from the 
identification ID. 

Although, in the figures FIG. 2 and 3, there is always 
shown one single supplementary process P*, there may possibly be 
used several processes P*, P**, p***, . . in series and/ or in 
parallel to derive the primary key K. 

It will be understood by those skilled in the art that many 
modifications and amendments are possible without departing from 
the scope of the invention. 
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CLAIMS 

1. Method for crypt ©graphically processing data, comprising 
feeding, to a cryptographic process (P) , values, namely, the data 
5 (X) and a key (K) , and carrying out the process (P) in order to 

form cryptographically processed data (Y) , characterised by 
feeding, to the process (P) , auxiliary values (K* ; A, B) in order 
to mask the values (K; D) used in the process (P) . 

10 2 - Method according to claim 1 , wherein an auxiliary value 

comprises a supplementary key (K*) which is fed to a 
supplementary process (P*) in order to form the key (K) . 

3 . Method according to claim 2 , wherein the supplementary 
15 process (P*) comprises a cryptographic process to which an 

auxiliary key (K 1 ) is fed. 

4. Method according to claim 2 or 3 , wherein the supplementary 
process <P*) is an invertible process. 

5. Method according to claim 2, 3 or 4, wherein the data (X) 
is also fed to the supplementary process (P*) . 

6. Method according to claim 5, wherein carrying out the 

25 supplementary process (P*) takes place exclusively if the data 

(X) has predetermined properties . 

7. Method according to any of the claims 2-6, wherein the 
process (P) and the supplementary process (P*) each are built up 

30 from a number of steps, and wherein steps of the process (P) and 

the supplementary process (P*) are alternated. 

8. Method according to any of the preceding claims, wherein 
the process (P) comprises a number of steps (Si) , each having a 

35 cryptographic operation (F ii Fi 1 , Fi n ) for processing right-hand 

data (RDi) derived from the data (X) and a combinatory operation 
(C ± ) for combining with left-hand data (IiDi) also derived from the 
data (X) , the processed right-hand data (FD ± ) in order to form 
modified left data (SDi) , and wherein the right-hand data (RD X ) is 

40 combined with a primary auxiliary value (Ax) prior to the first 

step (Si) and the left-hand data CLD^) is combined with an 
additional auxiliary value (Aq) . 
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9. Method according to claim 8 wherein, immediately after the 
last step <S n ) , the right-hand/ data (RD n ) is. combined with a 
further primary auxiliary value (An) and the modified left-hand 
data (SD n T ) is combined with a further additional auxiliary value 

5 (A^) . 

10. Method according to claim 8 or 9, wherein the right-hand 
data (RDi) is combined, in each step (Si) and prior to the 
operation (Fi'), with the primary auxiliary value (Ai) of said 

10 step (SJ . 

11. Method according to claim 10, wherein the processed right- 
hand data (FDi) is combined, following the operation (F ± ) , with 
the secondary auxiliary value (Bi) of said step (S±) . 

15 

12. Method according to claims 10 and 11, wherein the secondary 
auxiliary value (Bi) of a step (Si) is formed from the combination 
of the primary auxiliary value (Ai-i) of the preceding step and 
the primary auxiliary value (A i+1 ) of the next step. 

20 

13. Method according to any of the claims 8-12 , wherein all 
primary auxiliary values (At) are equal - 

14. Method according to any of the claims 9-13, wherein the 
25 primary auxiliary values (Ai) and/or secondary auxiliary values 

(Bi) have each time been combined with the respective operation 
(Fi) in advance. 

15. Method according to claim 14, wherein a combined operation 
3.0 (Fi 1 ) contains several tables, and wherein the tables are 

determined in a different order each time the process (P) is 
carried out. 

16. Method according to claim 14 or 15, wherein a combined 

35 operation (Fi 1 ) contains several tables, and wherein the elements 

of the tables are determined and/ or stored in a different order 
each time the process (P) is carried out. 

17. Method according to claim 16, wherein the order is stored 
as a lookup table for the benefit of reading out the elements. 

40 

18. Method according to any of the claims 8-17, wherein the 
right-hand data (RDi) is combined with a tertiary auxiliary value 
<Wi) after each step (Si) . 
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19- Method according to claim 18, wherein the tertiary 
auxiliary value (Wi) in all steps, except the last one (S n ) is 
equal to the combination of the primary auxiliary value of 
the first step (S a > and the additional auxiliary value (A 0 ) > and 
in the last step (S n ) is equal to zero. 

20. Method according to any of the claims 8-19, wherein 
combining is carried out using an XOR operation. 

21. Method according to any of the preceding claims, wherein 
the data (X) comprises identification data of a payment means (1) 
and the processed data (Y) forms a diversified key. 

22. Method according to any of the preceding claims, wherein 
the process <P) comprises DES, preferably triple DES . 

23. Circuit (10) for carrying out the method according to any 
of the preceding claims. 

24. Payment card (1) , provided with a circuit (10) according to 
claim 23 . 

25. Payment terminal (2) provided with a circuit (10) according 
to claim 23 . 
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